‼️Abusing PrintNightmare
CVE-2021-1675
GitHub: https://github.com/cube0x0/CVE-2021-1675
"PrintNightmare" refers to an RCE (Remote Code Execution) vulnerability in the Windows Print Spooler. Even if the vulnerable machine is configured to reject remote connections to the spooler, the same bug can still be exploited locally in an LPE (Local Privilege Escalation) context.
To test whether a machine is vulnerable to PrintNightmare, we can use the PoC methodology below, which checks whether the spooler exposes the relevant RPC interfaces:
MS-RPRN (Print System Remote Protocol) and MS-PAR (Print System Asynchronous Remote Protocol) are the Microsoft RPC protocols used to manage printing operations in a Windows environment.
And if the output of this command is the following:
The target is vulnerable to PrintNightmare 👿
If we want to continue exploiting this vulnerability, the methodology is as follows:
First, we need to install the correct version of impacket:
We then need to copy the raw code of the CVE Python file and paste it into the CVE.py file in the repository we just cloned:
In the following steps we are going to create a malicious DLL, host it on a file share, and have the target load it using the scripts provided by the repo:
Methodology:
We first need to create our malicious DLL file with msfvenom:
Now we can launch msfconsole and type in the following commands to set the options:
Set LHOST to your local machine and LPORT to any unused port, then type run to start the listener.
Now we need to set up a file share and we are going to use smbserver.py from impacket:
Now everything is up and we can run the command:
If everything is good and no firewall is blocking us, we will get our shell in Metasploit or whatever listener we set up,
and the rest is up to us, with some fun commands like:
In a realistic environment, antivirus will typically block a stock msfvenom DLL, so some AV bypass would be needed and the DLL would potentially have to be obfuscated.
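From the defensive side, the attack chain above depends on the Print Spooler running and accepting printer driver installs. The following PowerShell script is an added example, not code from the original page or from the cube0x0 repository: it reports whether the Spooler service is running, reads the Point and Print policy values that Microsoft's PrintNightmare guidance tells administrators to check (NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators), and pulls recent printer driver installs (event 316) and spooler plug-in load failures (event 808) from the PrintService event logs. The function names are my own; the script assumes it runs as an administrator on the host being assessed, and the PrintService/Operational log must be enabled for event 316 to be recorded.

```powershell
# Added example (not from the original page or the cube0x0 repo): defender-side
# exposure check for the Print Spooler attack surface used by PrintNightmare.
# Assumptions: run as administrator on the host being assessed; the
# Microsoft-Windows-PrintService/Operational log is enabled so that event 316
# (driver added or updated) is actually written.

function Get-SpoolerExposure {
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp    = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpoolerStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { $null }
        # 1 = install warnings and elevation prompts suppressed (weak setting)
        NoWarningNoElevationOnInstall = $pp.NoWarningNoElevationOnInstall
        # 1 = update prompts suppressed (weak setting)
        UpdatePromptSettings = $pp.UpdatePromptSettings
        # 1 = only administrators may install printer drivers (hardened setting)
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
    }
}

function Test-SpoolerHardened {
    param([Parameter(Mandatory)] $Exposure)
    # A stopped spooler removes the attack surface entirely. Otherwise require
    # driver installs restricted to admins and no suppressed prompts.
    if ($Exposure.SpoolerStatus -ne 'Running') { return $true }
    return ($Exposure.RestrictDriverInstallationToAdministrators -eq 1) -and
           ($Exposure.NoWarningNoElevationOnInstall -ne 1) -and
           ($Exposure.UpdatePromptSettings -ne 1)
}

function Get-RecentPrinterDriverEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 316 (Operational): a printer driver was added or updated.
    # 808 (Admin): the spooler failed to load a plug-in module; a DLL the spooler
    #      tried to load from an unexpected path is worth investigating.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

$exposure = Get-SpoolerExposure
$exposure | Format-List
if (Test-SpoolerHardened -Exposure $exposure) {
    Write-Output 'Spooler attack surface appears hardened.'
} else {
    Write-Output 'Spooler is running and Point and Print policy does not restrict driver installs.'
}
Get-RecentPrinterDriverEvents -Hours 72 | Format-Table -AutoSize
```

On hosts that do not need to print, stopping the Spooler and setting its start type to Disabled is the simplest mitigation; where printing is required, the policy values above are the knobs that decide whether a non-admin user can get the spooler to install a driver.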